W3C home > Mailing lists > Public > public-web-perf@w3.org > October 2010

Re: [Open Issue] Privacy concern with Navigation Timing

From: Sigbjørn Vik <sigbjorn@opera.com>
Date: Fri, 22 Oct 2010 09:29:33 +0200
To: public-web-perf@w3.org
Message-ID: <op.vkyu3jky41y844@id-c0735.oslo.opera.com>
On Thu, 21 Oct 2010 19:00:56 +0200, Zhiheng Wang <zhihengw@google.com>  
wrote:

> On Thu, Oct 21, 2010 at 7:46 AM, Sigbjørn Vik <sigbjorn@opera.com> wrote:
>
>> I see the following note:
>> "Note: The relaxed same orgin policy doesn't provide sufficient  
>> protection
>> against unauthorized visits accross documents. In shared hosting, an
>> untrusted third party is able to host an HTTP server at the same IP  
>> address
>> but on a different port."
>> I must have missed this discussion, this is similar to the mail just  
>> sent
>> about cookie domains (here called relaxed same origin). I am not quite  
>> sure
>> I understand what "unauthorized visits accross documents" means?
>>
>
>     ah, right, I missed this in the discussion yesterday. cookie domain
> doesn't work in cases like shared hosting, e.g., I have my web site on
> my.hosting.com and
> yours on yours.hotsting.com. We probably don't want to share information
> between them.

Right, this is a potential problem. However, these domains already share  
cookies, and such domains are rarely used for sensitive data[1]. Timing  
information is not direct information either, only indirect, which at most  
indicates if a user is logged in or not.

My thought is that using a cookie domain will be of great benefit to  
developers, and that it has little real-life negative impact on websites.  
Do you foresee any practical problems doing this?

[1] Maybe with the exception of people putting their personal documents  
online to be available for themselves, but such use cases are unlikely to  
be tricked by spoofing.

-- 
Sigbjørn Vik
Quality Assurance
Opera Software
Received on Friday, 22 October 2010 07:30:02 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 21 December 2010 18:13:55 GMT